Yijing Liu and Yiming Zhang, Tsinghua University; Baojun Liu, Tsinghua University; Zhongguancun Laboratory; Haixin Duan, Tsinghua University; Quancheng Laboratory; Qiang Li, Qihoo 360; Mingxuan Liu, Zhongguancun Laboratory; Ruixuan Li and Jia Yao, Tsinghua University
Due to the prevalence of scalping and the promotion of real-name ticketing systems, user-oriented mobile ticket grabbing apps have become a popular pattern for scalpers. Compared with traditional scalper-oriented scalping, ticket grabbing apps pose security and privacy risks to users directly. In our study, we take the first step towards revealing the ticket grabbing app ecosystem from the perspectives of app developers, app users, and target platforms synthetically.
We built a large-scale dataset of ticket grabbing apps in the wild within China, containing 758 Chinese ticket grabbing apps with 3,121 versions. Based on the detailed analysis of these apps, we found that ticket grabbing has formed a mature industrial chain, with various specialized technical characteristics to enhance the success rate, such as the abuse of Android accessibility services. We also revealed the profit model of ticket grabbing apps, and disclosed severe security and privacy hazards they pose to end users, including the collection of sensitive information and continuous screenshots. We further conducted an online survey involving 184 participants to get users' usage and privacy concerns on ticket grabbing apps, and regrettably found that users prioritize "tickets" over "privacy". Finally, we proposed an "Indirect Combat" approach to assist in the defense mechanisms. In summary, our findings provide target platforms and users with a better understanding of the ticket grabbing app ecosystem in China, enabling them to better detect and combat these apps.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Yijing Liu and Yiming Zhang and Baojun Liu and Haixin Duan and Qiang Li and Mingxuan Liu and Ruixuan Li and Jia Yao},
title = {Tickets or Privacy? Understand the Ecosystem of Chinese Ticket Grabbing Apps},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {5107--5124},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/liu-yijing},
publisher = {USENIX Association},
month = aug
}